The DIT structure follows the hierarchical LDAP model. The DIT organizes
data, for example, by group, by people, or by geographical location. It also
determines how data is partitioned across multiple servers.

DIT design has an impact on replication configuration and on how you
use Directory Proxy Server to distribute data. If you want to replicate or distribute
certain portions of a DIT, consider replication and the requirements of Directory Proxy Server at
design time. Also, decide at design time whether you require access controls
on branch points.

A DIT is defined in terms of suffixes, subsuffixes, and chained suffixes.
A suffix is a branch or subtree whose entire contents
are treated as a unit for administrative tasks. Indexing is defined for an
entire suffix, and an entire suffix can be initialized in a single operation.
A suffix is also usually the unit of replication. Data that you want to access
and manage in the same way should be located in the same suffix. A suffix
can be located at the root of the directory tree, where it is called a root suffix.

Because data can only be partitioned at the suffix level, an appropriate
directory tree structure is required to spread data across multiple servers.

The following figure shows a directory with two root suffixes. Each
suffix represents a separate corporate entity.

Figure 4–1 Two Root Suffixes in a Single Directory Server

A suffix might also be a branch of another suffix, in which case it
is called a subsuffix. The parent suffix does not include
the contents of the subsuffix for administrative operations. The subsuffix
is managed independently of its parent. Because LDAP operation results contain
no information about suffixes, directory clients are unaware of whether entries
are part of root suffixes or subsuffixes.

The following figure shows a directory with a single root suffix and
multiple subsuffixes for a large corporate entity.

Figure 4–2 One Root Suffix With Multiple Subsuffixes

A suffix corresponds to an individual database within the server. However,
databases and their files are managed internally by the server, and database
terminology is not used.
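The suffix rules above decide where an entry lives, and therefore how it is replicated, indexed, and distributed. The following added example (not code from Directory Server or its documentation) resolves each entry to the most specific suffix that contains it, so a parent suffix never claims its subsuffix's entries. The suffix and entry DNs are constructed, and matching is simplified to a case-insensitive comparison per RDN.

```python
def split_dn(dn):
    """Split a DN into RDNs; an escaped comma stays in its RDN. Values are lowercased (assumption)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        if rdn.strip():
            attr, _, value = rdn.partition("=")
            out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def owning_suffix(entry_dn, suffixes):
    """Return the most specific suffix containing entry_dn, or None."""
    entry = split_dn(entry_dn)
    best, best_len = None, -1
    for suffix in suffixes:
        s = split_dn(suffix)
        if len(s) <= len(entry) and entry[len(entry) - len(s):] == s and len(s) > best_len:
            best, best_len = suffix, len(s)
    return best


def partition(entry_dns, suffixes):
    """Group entries by owning suffix; a parent never lists its subsuffix's entries."""
    groups = {}
    for dn in entry_dns:
        groups.setdefault(owning_suffix(dn, suffixes), []).append(dn)
    return groups


# Constructed sample layout: one root suffix with one subsuffix, plus a second root suffix.
SUFFIXES = ["dc=example,dc=com", "ou=People,dc=example,dc=com", "o=example.org"]
ENTRIES = [
    "uid=bjensen, ou=People, dc=example, dc=com",
    "cn=Directory Administrators,dc=example,dc=com",
    "cn=Smith\\,ou=People,dc=example,dc=com",  # escaped comma: one RDN under the root suffix
]

if __name__ == "__main__":
    for suffix, dns in partition(ENTRIES, SUFFIXES).items():
        print(suffix, "->", dns)
```

The third entry shows why suffix membership must be decided per RDN: a plain string suffix comparison would place it in the `ou=People` subsuffix, although its parent is the root suffix.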

Chained suffixes create a virtual DIT by referencing suffixes on other
servers. With chained suffixes, Directory Server performs the operation
on the remote suffix. The directory then returns the result as if the operation
had been performed locally. The location of the data is transparent. The client
is unaware that the suffix is chained and that the data is retrieved from
a remote server. A root suffix on one server can have subsuffixes that are
chained to another server. In this scenario, the client is aware of a single
tree structure.

In the special case of cascading chaining, the chained suffix might
reference another chained suffix on the remote server, and so on. Each server
forwards the operation and eventually returns the result to the server that
handles the client’s request.